The primary aim of this paper is to introduce a new class of functions to facilitate the design of cryptographically good functions. It turns out that

Size: px

Start display at page:

Download "The primary aim of this paper is to introduce a new class of functions to facilitate the design of cryptographically good functions. It turns out that"

Ella Cummings
5 years ago
Views:

1 Plateaued Functions Yuliang Zheng 1 and Xian-Mo Zhang 1 Monash University, Frankston, Melbourne, VIC 3199, Australia yuliang.zheng@monash.edu.au, The University ofwollongong, Wollongong, NSW 5, Australia xianmo@cs.uow.edu.au Abstract. The focus of this paper is on nonlinear characteristics of cryptographic Boolean functions. First, we introduce the notion of plateaued functions that have many cryptographically desirable properties. Second, we establish a sequence of strengthened inequalities on some of the most important nonlinearity criteria, including nonlinearity, propagation and correlation immunity, and prove that critical cases of the inequalities coincide with characterizations of plateaued functions. We then proceed to prove that plateaued functions include as a proper subset all partiallybent functions that were introduced earlier by Carlet. This settles an open question that arises from previously known results on partiallybent functions. In addition, we construct plateaued, but not partiallybent, functions that have many properties useful in cryptography. Key Words Bent Functions, Cryptography, Nonlinear Characteristics, Partially-Bent Functions, Plateaued Functions. 1 Motivations In the design of cryptographic functions, one often faces the problem of ful- lling the requirements of a multiple number of nonlinearity criteria. Some of the requirements contradict others. The most notable example is perhaps bent functions while these functions achieve the highest possible nonlinearity and satisfy the propagation criterion with respect to every non-zero vector, they are not balanced, not correlation immune and exist only when the number of variables is even. Another example that clearly demonstrates how some nonlinear characteristics may impede others is partially-bent functions introduced in []. These functions include bent functions as a proper subset. Partially-bent functions are interesting in that they can be balanced and also highly nonlinear. However, except those that are bent, all partially-bent functions have non-zero linear structures, which are considered to be cryptographically undesirable.

2 The primary aim of this paper is to introduce a new class of functions to facilitate the design of cryptographically good functions. It turns out that these cryptographically good functions maintain all the desirable properties of partiallybent functions while possess no non-zero liner structures. This class of functions are called plateaued functions. To study the properties of plateaued functions, we establish a sequence of inequalities concerning nonlinear characteristics of functions. We show that plateaued functions can be characterized by the critical cases of these inequalities. In particular, we demonstrate that plateaued functions reach the upper bound on nonlinearity given by the inequalities. We also examine relationships between plateaued functions and partiallybent functions. We show that partially-bent functions must be plateaued while that the converse is not true. This disproves a conjecture and motivates us to construct plateaued functions without non-zero linear structures. Other useful properties of plateaued functions include that they exist for both even and odd numbers of variables, can be balanced and correlation immune. Boolean Functions Denition 1. We consider functions from V n to GF () (or simply functions on V n ), V n is the vector space ofn tuples of elements from GF (). Usually we write a function f on V n as f(x), where x =(x 1 ::: x n ) is the variable vector in V n. The truth table of a function f on V n is a (0 1)-sequence dened by (f( 0 ) f( 1 ) ::: f( )), and the sequence of f is a (1 ;1)-sequence de- ned by((;1) f (0) (;1) f (1) ::: (;1) f (n;1) ),where 0 =(0 ::: 0 0), 1 = (0 ::: 0 1), :::, n;1 ;1 =(1 ::: 1 1). Thematrix of f is a (1 ;1)-matrix of order n dened bym =((;1) f (ij ) ) where denotes the addition in GF (). f is said to be balanced if its truth table contains an equal number of ones and zeros. Given two sequences ~a =(a 1 a m )and ~ b =(b 1 b m ), their componentwise product is dened by~a~ b =(a1 b 1 a m b m )andthescalar product of ~a and ~ b, denoted by h~a ~ bi, is dened as the sum of the component-wise multiplications, where the operations are dened in the underlying eld. In particular, if m = n and ~a, ~ b are the sequences of functions f and g on V n respectively, then~a ~ b is the sequence of f g where denotes the addition in GF (). An ane function f on V n is a function that takes the form of f(x 1 ::: x n )= a 1 x 1 a n x n c, where denotes the addition in GF () and a j c GF (), j =1 ::: n.furthermore f is called a linear function if c =0. A(1 ;1)-matrix A of order m is called a Hadamard matrix if AA T = mi m, where A T is the transpose of A and I m is the identity matrix of order m. A Sylvester-Hadamard matrix of order n, denoted by H n, is generated by the following recursive relation H 0 =1 H n = Hn;1 H n;1 H n;1 ;H n;1 n =1 ::::

3 Let `i, 0 i n ; 1, be the i row ofh n.then`i is the sequence of a linear function ' i (x) dened by the scalar product ' i (x) =h i xi, where i V n is the binary representation of integer i, i =0 1 ::: n ; 1. The Hamming weight of a (0 1)-sequence, denoted by W (), is the number of ones in the sequence. Given two functions f and g on V n, the Hamming distance d(f g) between them is dened as the Hamming weight of the truth table of f(x) g(x), where x =(x 1 ::: x n ). Denition. The nonlinearity of a function f on V n, denoted by N f, is the minimal Hamming distance between f and all ane functions on V n, i.e., N f = min i=1 ::: n+1 d(f ' i ) where ' 1, ', :::, ' n+1 are allthe ane functions on V n. The following characterizations of nonlinearity will be useful (for a proof see for instance [6]). Lemma 1. The nonlinearity of f can be expressed by N f = n;1 ; 1 maxfjh `iij 0 i n ; 1g where is the sequence off and `i is the ith row of H n, i =0 1 ::: n ; 1. Denition 3. Let f be a function on V n. For a vector V n, denote by () the sequence off(x ). Thus (0) is the sequence off itself and (0) () is the sequence off(x) f(x ). Set () =h(0) ()i, the scalar product of (0) and (). () is also called the auto-correlation of f with a shift. Denition 4. Let f be a function on V n.wesaythatf satises the propagation criterion with respect to if f(x) f(x ) is a balanced function, where x =(x 1 ::: x n ) and is a vector in V n. Furthermore f is said to satisfy the propagation criterion of degree k if it satises the propagation criterion with respect to every non-zero vector whose Hamming weight is not larger than k (see [7]). The strict avalanche criterion (SAC) [11] is the same as the propagation criterion of degree one. Obviously, () = 0 if and only if f(x)f(x) is balanced, i.e., f satises the propagation criterion with respect to. Denition 5. Let f be a function on V n. V n is called alinear structure of f if j()j = n. For any function f, ( 0 )= n,where 0 = 0, the zero vector on V n. Hence the zero vector is a linear structure of every function on V n.itiseasytoverify that the set of all linear structures of a function f form a subspace of V n,whose dimension is called the linearity of f. It is also well-known that if f has non-zero linear structures, then there exists a nonsingular nn matrix B over GF () such that f(xb) =g(y) h(z), where x =(y z), x V n, y V p, z V q, p + q = n, g

4 is a function on V p and g has no non-zero linear structures, h is a linear function on V q. Hence q is equal to the linearity off. There exist a number of equivalent denitions of correlation immune functions [1, 4]. It is easy to verify that the following denition is equivalent to Denition.1 of [1]: Denition 6. Let f be a function on V n and let be its sequence. Then f is called a kth-order correlation immune function if and only if h `i = 0 for every `, the sequence of a linear function '(x) = h xi on V n constrained by 1 W () k. The following lemma is the re-statement of a relation proved in Section of []. Lemma. For every function f on V n,wehave (( 0 ) ( 1 ) ::: ( ))H n =(h `0i h `1i ::: h ` i ): where `i is the ith row of H n, j =0 1 ::: n ; 1. 3 Bent Functions and Partially-bent Functions Notation 1 Let f be a function on V n, the sequence of f and `i denote the ith row of H n, i =0 1 ::: n ; 1. Set = = fi j 0 i n ; 1 h `ii 6= 0g, < = f j () 6= 0 V n g and M =maxfj()jj V n 6= 0g It is easy to verify that #=, #< and M are invariant under any nonsingular linear transformation on the variables, where # denotes the cardinal number of aset. P Since h `ji = n (Parseval's equation, Page 416, [5]) and ( 0 )= n, neither = nor < is an empty set.= reects the correlation immunity property off, while< reects its propagation characteristics and M forecasts the avalanche property of the function. Therefore information on #=, #< and M is useful in determining important cryptographic characteristics of f. Denition 7. A function f on V n is called a bent function [8] if h `ii = n for every i =0 1 ::: n ; 1, where `i is the ith row of H n, i =0 1 ::: n ; 1. Abent function on V n exists only when n is even, and it achieves the maximum nonlinearity n;1 ; 1 n;1.from [8] and Parseval's equation, we have the following: Theorem 1. Let f be a function on V n and denote the sequence off. Thenthe following statements are equivalent: (i) f is bent, (ii) for each i, 0 i n ; 1, h `ii = n where `i is the ith row of H n, i =0 1 :::, (iii) #< =1, (iv) M =0, (v) the nonlinearity of f, N f, satises n;1 ; 1 n;1, (vi) the matrix of f is an Hadamard matrix.

5 An interesting theorem of [] explores a relationship between #= and #<. This result can be expressed as follows. Theorem. For any function f on V n, we have (#=)(#<) n, where the equality holds if and only if there exists a nonsingular nn matrix B over GF () andavector V n such that f(xb ) =g(y)h(z), where x =(y z), x V n, y V p, z V q, p + q = n, g is a bent on V p and h is a linear function on V q. Based on the above theorem, the concept of partially-bent functions was also introduced in the same paper []. Denition 8. A function on V n is called apartially-bent function if (#=)(#<) = n. One can see that partially-bent functions include both bent functions and ane functions. Applying Theorem together with properties of linear structures, or using Theorem of [10] directly, we have Proposition 1. A function f on V n is a partially-bent function if and only if each j()j takes the value of n or 0 only. Equivalently, f is a partially-bent function if and only if < is composed of linear structures. Some partially-bent functions have a high nonlinearity and satisfy the SAC or the propagation criterion of a high degree. Furthermore, some partially-bent functions are balanced. All these properties are useful in cryptography. 4 Plateaued Functions Now we introduce a new class of functions called plateaued functions. Here is the denition. Denition 9. Let f be a function on V n and denote the sequence off. Ifthere exists an even number r, 0 r n, such that #= = r and each h `ji takes the value of n;r or 0 only, where `j denotes the jth row of H n, j =0 1 :::, then f is called arth-order plateaued function on V n. f is also called aplateaued function on V n if we ignore the particular order r. Due to Parseval's equation, the condition #= = r can be obtained from the condition \each h `ji takes the value of n;r or 0 only, where `j denotes the jth row ofh n, j =0 1 ::: n ; 1". For the sake ofconvenience, however, we mentioned both conditions in Denition 9. The following result can be obtained immediately from Denition 9. Proposition. Let f be a function on V n. Then we have (i) if f is a rth-order plateaued function then r must be even, (ii) f is an nth-order plateaued function if and only if f is bent, (iii) f is a 0th-order plateaued function if and only if f is ane.

6 Th following is a consequence of Theorem 3 of [10]. Proposition 3. Every partially-bent function is a plateaued function. In the coming sections we characterize plateaued functions and disprove the converse of Proposition 3. 5 Characterizations of Plateaued Functions First we introduce Holder's Inequality [3]. It states that for real numbers a j 0, b P j 0, j =1 ::: k, P p and q P with p>1and p q = 1, the following is true: k ( j=1 ap j )1=p k ( j=1 bq j )1=q k j=1 a jb j where the quality holds if and only if there exists a constant 0suchthata j = b j for each j =1 ::: k. In particular, set p = q = inholder's Inequality. We conclude kx j=1 a j b j vut ( kx j=1 kx a j )( b j ) (1) where the quality holds if and only if there exists a constant 0 such that a j = b j for each j =1 ::: k. Notation Let f be a function on V n and denote the sequence of f. Let denote the real valued (0 1)-sequence dened as = (c 0 c 1 ::: c ) where c j = 1 if j = 0 otherwise and j V n, that is the binary representation of integer j. Write where each s j is an integer. We note that 6 4 h `0i h `1i. h ` i j=1 H n =(s 0 s 1 ::: s ) () P = h `ji = n where the second equality holds thanks to Parseval's equation. By using Lemma, wehave H n n. Noticing ( 0 )= n,weobtains 0 n + P j=1 s j( j )= n. Since 6 4 ( 0 ) ( 1 ) ( j )=0if j 6< (3) = ( ) P s 0 n + j < j>0 s j ( j P )= n. As s 0 =#=, where # denotes the cardinal number of a set, we have j < j>0 s j ( j )= n ( n X ; #=). Note that n ( n ; #=) = X s j ( j ) js j ( j )js M M (#<;1) (4) j < j>0 j < j>0

7 Hence the following inequality holds. s M M (#<;1) n ( n ; #=) (5) From (), #= n = X s j or #=( n ; #=) = X j=1 s j (6) Theorem 3. Let f be a function on V n and denote the sequence off. Then X ( j ) 3n #= where the equality holds if and only if f is a plateaued function. Proof. By using (4), (1) and (6), we obtain n X j < s j ( j ) X vut X ( n X ;1 s j )( j < js j ( j )j v ut#= X ( j )) n s( X j < s j )( X j < ( j )) ( j ) (7) P Hence 3n #= ( j ). We have proved the inequality P in the theorem. Assume that the equality in the theorem holds i.e., ( j ) = 3n. #= This implies that all the qualities in (7) hold. Hence X X n = s j ( j )= js j ( j )j = j < j < = vut X ( n X ;1 s j )( v ut#= X ( j )) = n s( X j < s j )( X j < ( j )) ( j ) (8) Applying the property of Holder's Inequality to(8),we conclude that j( j )j = js j j j < (9) where >0 is a constant. Applying (9) and (6) to (8), we have n = X j < js j ( j )j = vut X #= n s j = #=n (10)

8 From (10), we have P j < s j ( j )= P j < js j ( j )j. Hence (9) can be expressed more accurately as follows ( j )=s j j < (11) where >0isaconstant. From (8), it is easy to see that P j < s j = P s j. Hence Combining (11), (1) and (3), we have s j =0if j 6< (1) (s 0 s 1 ::: s )=(( 0 ) ( 1 ) ::: ( )) (13) Comparing (13) and (), we obtain H n =(( 0 ) ( 1 ) ::: ( )) (14) Further comparing (14) and the equation in Lemma, we obtain n =(h `0i ::: h ` i ) (15) Noticing that is a real valued (0 1)-sequence, containing #= ones and by using Parseval's equation, we obtain n (#=) = n. Hence (#=) = n, and there exists an integer r with 0 r n such that#= = r and = n;r.from (15) it is easy to see that h `ji = n;r or 0. Hence r must be even. This proves that f is a plateaued function. Conversely assume that f is a plateaued function. Then there exists an even number r, 0 r n, such that #= = r and h `ji = n;r or 0, Due to Lemma, we have P ( j ) = ;n P h `ji 4 = ;n r 4n;r = 3n;r. Hence we have proved P ( j )= 3n #=. Lemma 3. Let f be a function on V n and denote the sequence off. Then the nonlinearity N f of f satises N f n;1 ; p#= n;1,where the equality holds if and only if f is a plateaued function. Proof. Set p M =maxfjh `jijj j =0 1 ::: n ; 1g, where `j is the jth row of H n,0j n ; 1. Using Parseval's equation, we obtain p M #=n. Due to Lemma 1, N f n;1 ; p#= n;1. Assume that f is a plateaued function. Then there exists an even number r, 0 r n, such that #= = r and each h `ji takes either the value of n;r or 0 only, where `j denotes the jth row ofh n, j =0 1 ::: n ; 1. Hence p M = n; 1 r. By using Lemma 1, we have N f = n;1 ; n; 1 r;1 = n;1 ; n;1 p#=. Conversely assume that N f = n;1 ; p#= n;1. From Lemma 1, we have also N f = n;1 ; 1 p p M. Hence p M #= = n. Since both p M and p #= are integers and powers of two, we can let #= = r, where r is an integer with 0 r P n. Hence p M = n; r. Obviously r is even. From Parseval's equation, j= h `ji = n, and the fact that p M #= = n, we conclude that h `ji = n;r for all j =. This proves that f is a plateaued function.

9 From the proof of Lemma 3, we can see that Lemma 3 can be stated in a dierent way as follows. Lemma 4. Let f be a function f on V n and denote the sequence of f. Set p M = maxfjh `jijj j = 0 1 ::: n ; 1g, where `j is the jth row of H n, 0 j n ; 1. Then p M p #= n where the equality holds if and only if f is a plateaued function. Summarizing Theorem 3, Lemmas 3 and 4, we conclude Theorem 4. Let f be a function on V n and denote the sequence of f. Set p M = maxfjh `jijj j = 0 1 ::: n ; 1g, where `j is the jth row of H n, 0 j n ; 1. Then the following statements are equivalent: (i) f is a plateaued function on V n, (ii) there exists an even number r, 0 r n, such that #= = r and each h `ji takes the value of n;r P or 0 only, where `j denotes the jth row of H n, j = 0 1 ::: n ; 1, (iii) ( j ) = 3n, (iv) the #= nonlinearity of f, N f, satises N f = n;1 ; p#= n;1, (v) p p M #= = n, (vi) N f = n;1 ; ; n ;1 q P ( j ). Proof. Due to Denition 9, Theorem 3, Lemmas 3 and 4, (i), (ii), (iii), (iv) and (v) hold. (vi) follows from (iii) and (iv). Theorem 5. Let f be afunction on V n and denote the sequence off. Then the nonlinearity N f of f satises v N f n;1 ; ; n ut n X ;1 ;1 ( j ) where the equality holds if and only if f is a plateaued function on V n. Proof. Set p M = maxfjh `jijj j =0 1 ::: n ; 1g. Multiplying the equality in P h `ji. Lemma by itself, wehave n P ( j )= P h `ji 4 p M Applying Parseval's equation to the above equality, we have P ( j ) n p M. Hence p M ; n q P ( j ). By using Lemma 1, we have proved the inequality N f n;1 ; ; n ;1 q P ( j ). The rest part of the theorem can be proved by using Theorem 4. Theorem 3, Lemmas 3 and 4 and Theorem 4 represent characterizations of plateaued functions. To close this section, let us note that since ( 0 ) = n and #= n, we have n;1 ; ; n ;1 q P ( j ) n;1 ; n ;1 and n;1 ; n;1 p#= n;1 ; n ;1. Hence both inequalities N f n;1 ; ; n ;1 q P ( j )and N f n;1 ; p#= n;1 N f n;1 ; n ;1. are improvements on a more commonly used inequality

10 6 Other Cryptographic Properties of Plateaued Functions By using Lemma 1, we conclude Proposition 4. Let f be arth-order plateaued function on V n. Then the nonlinearity N f of f satises N f = n;1 ; n; r ;1. The following result is the same as Theorem 18 of [13]. Lemma 5. Let f be a function on V n (n ), be the sequence off, andp is an integer, p n. Ifh `ji 0 (mod n;p+ ), where `j is the jth row of H n, j =0 1 ::: n ; 1, then the degree off is at most p ; 1. Using Lemma 5, we obtain Proposition 5. Let f be arth-order plateaued function on V n. Then the algebraic degree off, denoted bydeg(f), satises deg(f) r +1. We note that the upper bound on degree in Proposition 5 is tight for r<n. For the case of r = n, the function, mentioned in Proposition 5, is a bent function on V n. [8] gives a better upper bound on degree of bent function on V n.that bound is n. The following property of plateaued functions can be veried by noting their denition. Proposition 6. Let f be arth-order plateaued function on V n, B be any nonsingular n n matrix over GF () and be anyvector in V n. Then f(xb ) is also a rth-order plateaued function on V n. Theorem 6. Let f be arth-order plateaued function on V n. Then the linearity of f, q, satises q n ; r, wheretheequality holds if and only if f is partiallybent. Proof. There exists a nonsingular nn matrix B over GF () such that f(xb) = g(y) h(z), where x =(y z), y V p, z V q, p + q = n, g is a function on V p and g has no non-zero linear structures, h is a linear function on V q. Hence q is equal to the linearity off. Set f (x) =f(xb). Let, and denote the sequences of f, g and h respectively. Itiseasyto verify =, where denotes the Kronecker product [1]. From the structure of H n, each rowofh n, L, can be expressed as L = ` e, where ` is a row ofh p and e is a row ofh q.itiseasytoverify h Li = h `ih ei (16) Since h is linear, is a row ofh q. Replace e by in (16), we have where L 0 = ` is still a row ofh n. h L 0 i = h `ih i = q h `i (17)

11 Note that f is also a rth-order plateaued function on V n. Hence h Li takes the value of n; 1 r or zero only. Due to (17), h `i takes the value of n; 1 r;q = p; 1 r or zero only. This proves that g is a rth-order plateaued function on V p. Hence r p and r n ; q, i.e.,qn ; r. Assume that q = n ; r. Thenp = r. From (17), each h `i takes the value of r = p or zero only, where ` is any rowofh p. Hence applying Parseval's equation to g, we can conclude that for each row ` of H p, h `i cannot take the value of zero. In other words, for each row ` of H p, h `i takes the value of p only. Hence we have proved that g is a bent function on V p. Due to Theorem, f is partially-bent. Conversely, assume that f is partially-bent. Due to Theorem, g is a bent function on V p. Hence each h `i takes the value of p only, where ` is any row ofh p. Note that both and e are rows of H q hence h ei takes the value q or zero only. From (16), we conclude that h Li takes the value q+ p or zero only. Recall f is a rth-order plateaued function on V n. Hence q + p = n ; r. This implies that r = p, i.e., q = n ; r. 7 Relationships between Partially-bent Functions and Plateaued Functions To examine more profound relationships between partially-bent functions and plateaued functions, we introduce one more characterization of partially-bent functions as follows. Theorem 7. For every function f on V n,wehave n ; #= #= M n (#<;1) where the equality holds if and only if f is partially-bent. Proof. From Notation, we have s M s 0 = #=. As a consequence of (5), we obtain the inequality in the theorem. Next we consider the equality in the theorem. Assume that the equality holds, i.e., M (#<;1)#= = n ( n ; #=) (18) From (4), n ( n ; #=) X X j < j>0 js j ( j )j M js j j M (#<;1)#= (19) j < j>0 From (18), we can see that all the equalities in (19) hold. Hence M (#<;1)#= = X j < j>0 js j ( j )j (0)

12 Note that js j j#= and j( j )j M, for j>0. Hence from (0), we obtain js j j =#= whenever j <and j>0 (1) and j( j )j = M for all j <with j>0. P Applying (1) to (6), and noticing s 0 =#=, we obtain #= n = P s j j < s j = (#<)(#=). This results in n (#<)(#=). Together with the inequality intheorem, it proves that (#<)(#=) = n, i.e., f is a partiallybent function. Conversely assume that f is a partially-bent function, i.e., (#=)(#<) = n. Then the inequality in the theorem is specialized as M ( n ; #=) n ( n ; #=) () We need to examine two cases. Case 1: #= = n.obviously the equality in () holds. Case : #= 6= n. From (), we have M n. Thus M = n. This completes the proof. Next we consider a non-bent function f. With such a function wehave M 6= 0. Thus from Theorem 7, we have the following result. Corollary 1. For every non-bent function f on V n, we have (#=)(#<) n ( n ; #=) M +#= where the equality holds if and only if f is partially-bent (but not bent). Proposition 7. For every non-bent function f, we have n ( n ; #=) +#= n M where the equality holds if and only if #= = n or f has a non-zero linear structure. Proof. Since M n, the inequality isobvious. On the other hand, it is easy to see that the equality holds if and only if ( n ; M )( n ; #=) =0. From Proposition 7, one observes that for any non-bent function f, Corollary 1 implies Theorem. Theorem 8. Let f be a rth-order plateaued function. Then the following statements are equivalent: (i) f is a partially-bent function, (ii) #< = n;r, (iii) M (#<;1) = n;r ; n, (iv) the linearity q of f satises q = n ; r. Proof. (i) =) (ii). Since f is a partially-bent function, we have(#=)(#<) = n. As f is a rth-order plateaued function, #= = r and hence #< = n;r.

13 (ii) =) (iii). It is obviously true when r = n. Now consider the case of r<n. Using Theorem 7, we have n ;#= M #= n (#<;1) which is specialized as n;r ; 1 M n (n;r ; 1) (3) From (3) and the fact that M n,we obtain n;r ; 1 M n ( n;r ; 1) n;r ; 1. Hence M = n or r = n. (iii) obviously holds when M = n.when r = n, wehave #< = 1 and hence (iii) also holds. (iii) =) (i). Note that (iii) implies n ;#= = M #= n (#< ;1) where #= = r. By Theorem 7, f is partially-bent. Due to Theorem 6, (iv) () (i). 8 Construction of Plateaued Functions and Disproof of The Converse of Proposition 3 Lemma 6. For any positive integers t and k with k < t < k, there exist t non-zero vectors in V k,say 0 1, :::, t ;1, such that for any non-zero vector V k, the t -set f' 0 () ' 1 () ::: ' ()g, contains both zero andone, t;1 where ' is the linear function on V k dened by' (x) =h xi. Proof. We choose k linearly independent vectors in V k, say 1 ::: k. From linear algebra, (h 1 i ::: h k i) goes through all the non-zero vectors in V k exactly once while goes through all the non-zero vectors in V k. Hence there exists a unique satisfying (h 1 i ::: h k i)=(1 ::: 1). Furthermore, for any non-zero vector V k with 6=, fh 1 i ::: h k ig contains both one and zero. Let 0 be a non-zero vector in V k, such that h 0 i =0.Obviously 0 6 f 1 ::: k g. If t > k +1, choose other t ; k ; 1 non-zero vectors in V k, k+1 ::: t ;1, such that 0 1 ::: k k+1 ::: t ;1 are mutually distinct. It is easy to see that for any non-zero vector V k, f 0 1 ::: t ;1 g contains both one and zero. This proves the lemma. The following example proves the existence of rth-order plateaued functions on V n, where 0 < r < n, and disproves the converse of Proposition 3. We note that in this section, we will not discuss nth-order and 0th-order plateaued function on V n as they are bent and ane functions respectively. Example 1. Let t and k be positiveintegers with k< t < k.let 0 1 ::: t ;1 be the t non-zero vectors in V k dened in Lemma 6. Let j denote the sequence of ' j, j =0 1 ::: t ; 1. Set = 0 1 ::: t ;1.Letn = k + t and f be the function on V n whose sequence is. By using the properties of H n, it is easy to verify that each h `ji takes the value of k or 0 only, where `i is the ith row ofh n, i =0 1 ::: n ; 1. Using Parseval's equation, we obtain#= = n;k.letr =n ; k =t. Then f is a rth-order plateaued function on V n.dueton = k + t, r =n ; k =t and t<k,0<r<nholds.

14 We now consider () with the function f. Let = ( ) where V t, V k.notethat () = (P ji= h j i ()i if 6= 0 P t ;1 h j j ()i if = 0 but 6= 0 (4) where j V t is the binary representation of an integer j, j =0 1 ::: n ; 1. Since ' j 6= ' i if j 6= i, where ' (x) =h xi, ' j (x) ' i (x ) is a nonzero linear function and hence balanced. We have nowproved h j i ()i = 0 for j 6= i. Hence () = 0 when 6= 0. On the other hand, for any linear function ' on V k,wehave '(x) '(x ) = '(). Hence h j j ()i = k if and only if ' j () = 0. In addition, h j j ()i = ; k if and only if ' j () = 1. By using Lemma 6, we have () = P t ;1 h j j ()i 6= t k = n for 6= 0. In summary, we have () 8 < : =0 if 6= 0 6= n if = 0 and 6= 0 = n if =0 (5) Since f is a rth-order plateaued function on V n and r<n, f is not bent, on the other hand, (5) shows that f has non-zero linear structures. Hence we conclude that f is not partially-bent. Hence we have proved that f is plateaued but not partially-bent. This disproves the converse of Proposition 3. f has some other interesting properties. In particular, due to Proposition 4, the nonlinearity N f of f satises N f = n;1 ; n; r ;1. Note that the sequenceofany non-zero linear function is (1 ;1)-balanced. Hence each j and = 0 1 ::: t ;1 are (1 ;1)-balanced. This implies that f is (0 1)-balanced. Since the function f is not partially-bent, by using Theorem, we have (#=)(#<) > n. This proves that #< > n;r. On the other hand, from (5), we have #< k = n; 1 r.thus we can conclude that n;r < #< n; 1 r. We end this example by noting that such functions as f exist on V n both for n even and odd. Now we summarize the relationships among bent, partially-bent and plateaued functions. Let B n denote the set of bent functions on V n, P n denote the set of partially-bent functions on V n and F n denote the set of plateaued functions on V n. Then the above results imply that B n P n F n, where denotes the relationship of proper subset. We further let G n denote the set of plateaued functions on V n that do not have non-zero linear structures and are not bent functions. The relationships among these classes of functions are shown in Figure 1. Example 1 proves that G n is nonempty. Next we consider how to improve the function in Example 1 so as to obtain a rth-order plateaued function on V n satisfying the SAC and all the properties mentioned in Example 1.

15 Fig. 1. Relationship among bent, partially bent, and plateaued functions Example. Note that if r>, i.e., t>1, then from Example 1, #< n; 1 r < n;1. In other words, #< c > n;1 where < c denotes the complementary set of <. Hence there exist n linearly independent vectors in < c. In other words, there exist n linearly independent vectors with respect to which f satises the propagation criterion. Hence we can choose a nonsingular n n matrix A over GF () such that g(x) =f(xa) satises the SAC (see [9]). The nonsingular linear transformation A does not alter any of the properties of f in Example 1 We can further improve the function in Example so as to obtain a rthorder plateaued functions on V n having the highest degree and satisfying all the properties in Example 1. Example 3. Given any vector =(i 1 ::: i s ) V t,we dene a function on V t by D (y) =(y 1 i1 ) (y t is ) where y =(y 1 ::: y t )and i =1 i indicates the binary complement of i. Let i1i p,(i 1 ::: i p ) V p, be the sequence of a function f i1i p (x 1 ::: x q ) on V q. Let be the concatenation of 000, 001, :::, 111, namely, = ( ::: 111 ). It is easy to verify that is the sequence of a function on V q+p given by f(y 1 ::: y p z 1 ::: z q )= M (i 1i p)vp D i1i p (y 1 ::: y p )f i1i p (z 1 ::: z q ): (6) Let j V t is the binary representation of integer j, j =0 1 ::: t ;1. Write 0 = ' 0, 1 = ' 1, :::, t;1 = ' t;1, where 0 1 ::: t ;1 are the same with those in Example 1 and ' = h xi.

16 Due to (6), the function f on V t+k, mentioned in Example 1 can be expressed as f(y z) = L V t D (y) (z). Case 1: L V t 6= 0. Write L V t =, where must be a non-zero linear function on V k. Note that each D (y) contains y 1 y t. Hence the term y 1 y t (z) survives in the nal algebraic normal form representation of f(y z) and hence the degree of f is t +1= r +1. Case : L V t = 0, i.e., L t ;1 ' j = 0. Note that there exist k ; 1 nonzero vectors in V k and k ; 1 > t. Hence we can replace ' byany non-zero t;1 linear function ' on V k, that diers from ' 0, ' 1, ::: '. This reduces Case t;1 to Case 1. We have now constructed a rth-order plateaued function with degree r + 1. Applying the discussions in Examples 1 and, we can obtain a rth-order plateaued function on V n having degree r + 1 and satisfying all the properties of the function constructed in Example 1. It should be noted that the function in this example achieves the highest possible algebraic degree given in Proposition 4. Thus the upper bound on the algebraic degree of plateaued functions, mentioned in Proposition 5, is tight. 9 Conclusions We have introduced and characterized a new class of functions called plateaued functions. These functions bring together various nonlinear characteristics. We have also shown that partially-bent functions are a proper subset of plateaued functions, which settles an open problem related to partially-bent functions. We have further demonstrated methods for constructing plateaued functions that have many cryptographically desirable properties. Acknowledgement The second author was supported by a Queen Elizabeth II Fellowship ( ). References 1. P. Camion, C. Carlet, P. Charpin, and N. Sendrier. On correlation-immune functions. In Advances in Cryptology - CRYPTO'91, volume 576, Lecture Notes in Computer Science, pages 87{100. Springer-Verlag, Berlin, Heidelberg, New York, Claude Carlet. Partially-bent functions. Designs, Codes and Cryptography, 3:135{ 145, Friedhelm Erwe. Dierential And Integral Calculus. Oliver And Boyd Ltd, Edinburgh And London, Xiao Guo-Zhen and J. L. Massey. A spectral characterization of correlationimmune combining functions. IEEE Transactions on Information Theory, 34(3):569{571, 1988.

17 5. F. J. MacWilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes. North-Holland, Amsterdam, New York, Oxford, W. Meier and O. Staelbach. Nonlinearity criteria for cryptographic functions. In Advances in Cryptology -EUROCRYPT'89, volume 434, Lecture Notes in Computer Science, pages 549{56. Springer-Verlag, Berlin, Heidelberg, New York, B. Preneel, W. V. Leekwijck, L. V. Linden, R. Govaerts, and J. Vandewalle. Propagation characteristics of boolean functions. In Advances in Cryptology - EU- ROCRYPT'90, volume 437, Lecture Notes in Computer Science, pages 155{165. Springer-Verlag, Berlin, Heidelberg, New York, O. S. Rothaus. On \bent" functions. Journal of Combinatorial Theory, Ser. A, 0:300{305, J. Seberry, X. M. Zhang, and Y. Zheng. Improving the strict avalanche characteristics of cryptographic functions. Information Processing Letters, 50:37{41, J. Wang. The linear kernel of boolean functions and partially-bent functions. System Science and Mathematical Science, 10:6{11, A. F. Webster and S. E. Tavares. On the design of S-boxes. In Advances in Cryptology - CRYPTO'85, volume 19, Lecture Notes in Computer Science, pages 53{534. Springer-Verlag, Berlin, Heidelberg, New York, R. Yarlagadda and J. E. Hershey. Analysis and synthesis of bent sequences. IEE Proceedings (Part E), 136:11{13, X. M. Zhang, Y. Zheng, and Hideki Imai. Duality ofboolean functions and its cryptographic signicance. In Advances in Cryptology - ICICS'97, volume 1334, Lecture Notes in Computer Science, pages 159{169. Springer-Verlag, Berlin, Heidelberg, New York, 1997.

Non-Separable Cryptographic Functions

International Symposium on Information Theory and Its Applications Honolulu, Hawaii, USA, November 5 8, 2000 Non-Separable Cryptographic Functions Yuliang Zheng and Xian-Mo Zhang School of Network Computing